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■ Abstract 

' A two-layer quantum protocol for secure transmission of data using qubits is pre- 

sented. The protocol is an improvement over the BB84 QKD protocol. BB84, in con- 
junction with the one-time pad algorithm, has been shown to be unconditionally secure. 
However it suffers from two drawbacks: (1) Its security relies on the assumption that 
Alice's qubit source is perfect in the sense that it does not inadvertently emit múltiple 
copies of the same qubit. A multi-qubit emission attack can be launched if this assump- 
tion is violated. (2) BB84 cannot transfer predetermined keys; the keys it can distribute 
are generated in the process. Our protocol does not have these drawbacks. 
' As in BB84, our protocol requires an authenticated públic channel so as to detect an 

, intruder's interaction with the quantum channel, but unlike in symmetric-key cryptog- 

' raphy, the confidentiality of transmitted data does not rely on a shared secret key. 
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1 Introduction 



Since the appearance of the BB84 protocol , a growing class of quantum cryptographic 
protocols has emerged. BB84 and its variants [3] aim at providing perfect security in 
transferring classical data between two parties. However, these protocols are key establish- 
ment protocols rather than data transfer protocols. They provide ultimate data security by 
gener ating a random sequence of bit which is shared between Alice and Bob. The sequence 
is then used as a one-time pad or as a symmetric key. Because this sequence is generated in 
the process of protocol execution, it cannot be known in advance. This can be a drawback in 
applications where a predefined sequence of bits is to be distributed securely. Our protocol 
can be used to avoid this drawback. Also, though expensive, in some applications it may 
be justifiable to use the quantum channel to send confidential data as opposed to using the 
classical channel. Our protocol can be used in those situations as well. 

It has been shown that BB84 is unconditionally secure j2H3j- However this fact depends 
on the assumption that the qubit source does not emit múltiple replicas of the same qubit. 
In BB84, Alice generates a sequence of qubits which have been chosen at random from one 
of two predefined bases. She then sends a random sequence of bits using those qubits. Bob 
makes measurement on the qubits upon receipt and then waits for the basis information 
from Alice. The basis information comes through a públic authenticated channel. If the 
qubit source emits múltiple replicas for each intended qubit, an eavesdropper (Eve) on the 
quantum channel can capture and preserve the qubits until the basis is announced by Alice. 
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At that time, Eve can perform measurement in the correct basis and obtain the bits send 
by Alice. This is called a multí-qubít emíssíon attack. Our protocol is not vulnerable to 
this kind of attack because information crucial to correct measurement of the qubits is not 
transmitted or broadcast. 

In our protocol, as in BB84 and other key exchange protocols, the availability of an 
authenticated (though not private) channel is an indispensable element. This channel is the 
very essential means by which Bob can identify Alice and differentiates her from Eve. In 
key exchange protocols without an authenticated channel, Eve can launch a successful man- 
in-the-middle attack. In our protocol, qubits are exchanged between Alice and Bob, and 
they must make sure that the qubits are not altered or inserted by Eve. An authenticated 
channel is required for them to ensure this. 

Our protocol has two major advantages over BB84 (explained above), but it comes at 
a cost: The qubits must make a round trip instead of a one-way trip. At a time when 
sending qubits over long distances is a technical challenge, this requirement may sound too 
troublesome. However, there is a trade-off: A round trip must be weighted against the 
challenge of making a single-qubit source. 

This paper is organized as follows: In the next section, we present the key ideas and 
properties used in our protocol. Then in Section 01 the proposed protocols are presented. 
In Section 0J we discuss the correctness and security of our protocol. At last in Section [üj 
we summarize the results of our paper. The appendix contains some of the technical points 
that are necessary but are not crucial to understanding the concepts. 

2 Preliminaries 

In this paper, we have borrowed some key concepts from BB84. One key concept which 
is not from BB84 is the following: Suppose Bob wants to send one bit to Alice. Alice sends 
a random bit to Bob and she remembers this bit. Bob performs an exclusive-or between 
Alice's bit and his bit and sends the result to back Alice. Alice can recover Bob's bit. This 
is perfectly secure if Eve cannot inspect Alice's bit on the way to Bob. If Eve inspects the 
bit being sent from Bob to Alice, she will not know Bob's bit. Of course, we should also 
prevent the possibility of a man-in-the-middle attack by Eve. 

It is hard to realize the above idea in classical cryptography. However, in quantum 
cryptography this can be realized at least in one way that is presented in this paper. 

The whole idea of quantum cryptography revolves around the concept of a qubit. A 
qubit \ifj) is a quantum state vector in a two dimensional Hilbert space H2. A qubit can be 
measured with respect to any given basis in Bfe. In quantum computation, the basis {|0), |1)} 
is called the computational basis. Measuring a qubit \ip) = a|0) + b\l) in the computational 
basis will change it to |0) or |1) with probabilities |a| 2 and |6| 2 , respectively. The observed 
outcome is lògic value '0' with probability \a\ 2 or lògic value '1' probability \b\ 2 . Hereafter, 
whenever a qubit is "measured", we mean it is measured in the computational basis. 

In protocols discussed in this paper, Alice and Bob rotate qubits around a known fixed 
axis in the Bloch sphere [üj page 15]. Without loss of generality and for the sake of conve- 
nience, we choose this axis to be the y-axis. To perform a rotation around the y-axis by an 
angle 9, a given qubit must be operated upon by the following operator: 




2 



It is easy to verify that for all angles a, (5 and 9, the following statements hold: 

R(a)R(f3) = R((3)R(a) = R(a + 0), R^(9) = R{-9). 
We will work with the following family of qubits: 

\m) = m\o) = cos ||o> +si n ||i>. 

Since |0) is the state vector coinciding with the unit vector along the z-axis in the Bloch 
sphere, then every \^{9)) is a rotated version of the qubit |0) rotated by an angle 9 around 
the y-axis in the xz-plane. Also be reminded that any two qubits whose Bloch sphere 
representations are colinear and point in opposite directions, e.g. \4>{9)) and \ip(9 + 7r)), are 
orthogonal to each other and hence they can be detected and distinguished with perfect 
certainty. 

Suppose \ip(0)} is known by Alice to encode one of two lògic vàlues or 1. If she makes 
measurement in the computational basis on this qubit, she will obtain with probability 
cos 2 | and will obtain 1 with probability sin 2 |. However if Alice knows the value of 9, and 
if she operates R^(9) on this qubit before making measurement in the computational basis, 
then she will obtain with probability 1 (perfect certainty). 

Now suppose that Alice receives \4>) and she knows this qubit is either \ip(9)), or \tp{6 + 
7r)). Without knowing 9, if she makes measurement, the outcome will be or 1 at random, 
the probability of each depending on the actual state she received. On the other hand, 
if Alice knows the value of 9, she can perform the unitary operation R)(9)\<f>) and then 
followed by measurement in the computational basis. With probability one, she will obtain 
if = \ip(9)) or obtain 1 if \<f>) = \tfj(9 + ir)). Therefore with known angle 9, the states 
\ip(9)) and \ip(9 + -ir)) represent and 1, respectively, and can be distinguished with perfect 
certainty. 

In what follows, we use the random variable X to denote the binary information trans- 
mitted, the random variable Y to denote the binary information received by an intended 
party, and the random variable Z to denote the information bit obtained by an intruder. 
Adopting Shannon's definition, we deem a protocol as unconditionally secure if H(X\Y) = 
and H(X\Z) = H{X). The first condition means that Y reveals everything about X. The 
latter means that Z reveals nothing about X; this is true if and only if X and Z are 
independent. 

We now prové some propositions that represent our key ideas and will be used later. 
Consider a set of distinct angles {9o, Oi, ■ ■ ■ , 9 n -\}, all in [0, 2ir]. Suppose Alice prepares a 
qubit \ip) = R(9k + 7rA)|0), where 9k was selected with probability pk, and X <G {0, 1} is a 
binary random variable (which is Alice's data). 

Proposition 1 If Alice sends the qubit to Bob. If Bob knows 9^, he can recover X without 
error. 

Proof. 

Bob can perform a unitary operation and obtain \<j>) as follows: \<j>) = RJ(9)\ip) He then 
makes measurement to obtain Y. We have: 

\<j)) = cos(^A/2)|0) + sin(7rX/2)|l) 

Prob(Y = | X = 0) = 1, Prob(Y = 1 | X = 0) = 

Prob(T = | X = 1) = 0, Prob(Y = 1 | X = 1) = 1. 

This obviously implies: H(X\Y) = 0. Hence the desired conclusion follows. O 
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Proposition 2 Alice sends the qubit to Bob. Eve, who does not knows 9 k , intercepts and 
rotates it by an arbítrary angle of her choice —a, makes measurement on the qubit and 
obtaíns a binary value Z. There exíst a probabilíty dístribution p k and a set {9q, 9±, . . . , 9 n -i} 
such that H{X\Z) = H{X). 

Proof. 
We have: 

\i/>) = cos[(9 k + ttX)/2] |0) + sïn[(9 k + ttX)/2] |1) 
Eve's rotation produces: 

R{-a)\ip) = cos[{9 k + irX - a)/2] |0) + wn[(O h + irX - a)/2] |1). 
The probabilities for Eve's measurement outcome is: 



Prob(Z = | k, X = 0) = cos 
Prob(Z = 1 | k, X = 0) = sin 



2 flfc - a 
2 ' 
2 u k - a 



Prob(Z = | k,X = 1) = sin 
Prob(Z = 1 | k,X = 1) =cos 



2 Ok-at- 
2 ' 

2 9 k -a 



Therefore: 



n-1 



Prob(Z = | X = 0) = Prob(Z = 1 | X = 1) 
Prob(Z = | X = 1) = Prob(Z 



y~] Pk c( >s 

fc=0 



2 ^fc 



O 



n-1 

1 I = 0)=^ a s:m 
fc=0 

The variables X and Z are independent if and only if: 



2 

2 9 k - a 



Prob(Z = | X = 0) = Prob(Z = Q\X = 1), 

Prob(Z = 1 | X = 0) = Prob(Z = 1 | X = 1). 
Therefore #(X|Z) = iï(X) if and only if: 



n-1 



2 6> fc - a 



n-1 



. .J cos 

fc=0 " fc=0 



sm 



2 9 k -a 



(1) 



We must find p^'s and such that Equation Q holds regardless of the choice of q. In 
Appendix A, Claim 1, it is shown that this is possible by setting 



n > 2, p k 



n 



2kir 



n 



for k = 0,1, 2,..., n-1. 



Thus the conclusion follows. O 



Proposition 3 Suppose Alice sends the qubit to Bob. Eve who does not knows 9 k intercepts 
the qubit and performs a rotation by an angle of her choice a. She then makes measure- 
ment on the qubit and then transmits the resulting qubit, denoted \4>i), to Bob. If Bob 
knows 9 k , and if he performs the following unitary operation | çí>2 ) = R followed by a 

measurement of\<f>2), then the channel between Alice and Bob has an error probability equal 
to: 



n-1 



Prob(error) = ^^Pfc 

k=0 



. 2®k 2 ®k — 

sm — cos 

2 2 



« . 2 "k ■ 2 tí k - 

h cos — sm 

2 2 
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Proof. 

We are looking for P(Y\X) and do this by conditioning on Z and k. 



p(y\x) = Y,Y1 p{ y\ x > z > k ) p ( z \ x > k ) p ^\ x )- 



k Z 

Since k is chosen with probability p k independent of X, then 

P(k\X)=p k , fc = 0,l,...,n-l. 
After Eve's measurement, there are two cases to consider: 

1. Z = 0. In this case: \(j>\) = |0). After Bob's rotation. we have 

|0 2 > = R\0)\<h.) = cos ^|0>- sin^|l). 



After Bob's measurement we have: 



Prob(Y = | k, X, Z = 0) = cos 2 y , Prob(Y = 1 | jfe, X, Z = 0) = sin 2 

2. Z = 1. In this case: \<pi) = |1). After Bob's rotation. we have 

|02) = iï t Wl^i} = sin^|O) + cos^|l}. 



9k 



After Bob's measurement we have: 

Prob(Y = | k, X, Z = 1) = sin 2 — , Prob(Y = 1 | k, X, Z = 1) = cos 



2 X3^UfV - 1 it v _ _ ^fc 

2 ' 



The conditional probabilities for Z given X, k were obtained in Proposition (J2J) . Using 
those, we can compute the following: 



. 2 ®k . 2 ®k - a 2 6k 2 9 k - a 
sm — sm h cos — cos 



Vk 



2 2 2 2 



. 2 ®k 2®k — Ot 2@k . 2 @k — a 

sm — cos h cos — sm 

2 2 2 2 



Prob(Y = | X = 0) = Prob(Y = 1 | X = 1) = ^ 

fc=0 
n-l 

Prob(Y = | X = 1) = Prob(Y = 1 | X = 0) = 

fc=0 
Note that: 

Prob(error) = P(A" = 0)P(Y = 1\X = 0) + P(A" = l)P(Y = 0|X = 1) 
Therefore regardless of -P(AT) we find: 

2 &k 2 @k — Oí 2 ®k . 2 @k ~ a 



Prob(error) = S }^ j Pk 

k=0 



sm — cos h cos — sm 

2 2 2 2 



(2) 



The proof is complete. O 



5 



Proposition 4 In Proposítíon\^ suppose we set 

1 „ 2kir 

n>2, p k = v k = , 

n n 

then 

with equality when a = 
Proof. See Appendix A, Claim 2. O 

This proposition means that by certain choice of p^s and O^s (as prescribed above) we 
can be sure that Eve's interaction will be detected with probability at least 1/4. Also, from 
the point of view of Eve, who wants to minimize her probability of being detected, this 
means that her best strategy is to do measurement only without any rotations. This result 
will be used in the analysis of our qubit authentication protocol (Protocol 1). 

3 Proposed Protocol 

First we present a protocol for sending authenticated qubits. Then we present a protocol 
for sending secure data using authenticated qubits. 

3.1 Sending Authentic Qubits 

We define an authentic qubit as a qubit which has been sent by Alice and received by 
Bob such that Eve has not altered it in any way along the way. Suppose Alice wants to 
send authentic qubits to Bob. For convenience, we restrict our discussion to the family of 
qubits residing in the zz-plane. 

Protocol 1 Suppose Alice has a sequence of N qubits \4>2)i ■ ■ ■ , IV'Jv)) an d wishes 
to send them to Bob in an authenticated way. We assume that a classical bidirectional 
authenticated channel exists between Alice and Bob. Also assumed is a set of publicly- 
known distinct angles 9^ = k = 0, 1, . . . , n — 1. 

1. Alice selects M integers uniformly at random in {0, 1, . . . , n— 1}, denoted fei, . . . , k,M- 

2. Alice creates qubits \<j>\), ■ ■ ■ , \4>m), such that for each i G {1, 2, ... , M} 

|&) = R(2ki7r/n) |0>. 

We call these the check qubits. 

3. Alice generates M distinct random integers ji, j'2, • • • ,3m i n {1> 2, . . . , N + M}. She 
then creates a frame of length N + M and inserts each \<pi) at location ji in the frame. 
Then the sequence of qubits | ip±), \1jJ2), ■ ■ ■ , I^Pn), are inserted at the empty locations 
in the frame preserving their order. 

4. Alice sends the frame to Bob. Bob receives the frame. 



Prob(error) > — , 
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5. Alice sends the following data to Bob: 

(h, h), {h, h), ■ ■ ■ , Üm, k M ). 
These data are sent via the classical authenticated channel. Eve can read these data. 

6. Knowing jj's, Bob extracts the sequence of |</>i)'s from the frame, and for each i = 
1,2,..., M, he performs w (2fcj7r /n)|^>j) . Then he measures the resulting state. The 
outcome must be a logical '0' for all i € {1, 2, . . . , M}. If this condition does not hold 
for any \(f>i), the frame is said to have an authentícation error. 

7. If there is an authentication error, Bob notifies Alice and both drop the frame. Oth- 
erwise, the frame is considered unaltered and the sequence of \ipí}'s is deemed to be 
authentic. 

At a given level of certainty (determined by parameters N and M), this protocol uses a 
classical authenticated channel to create an authenticated quantum channel. This protocol 
is analyzed in Section |1J We use this protocol as a tool to prevent the man-in-the-middle 
attack in our confidential data transfer protocol (Protocol 2). 

3.2 Sending Confidential Qubits 

In this section, we present a protocol that enables sending confidential data over the 
quantum channel. In this protocol, qubits make a round trip from Alice to Bob to Alice 
and undergo a unitary operation by Bob along the way The protocol is described below. 

Protocol 2 Suppose Bob has a sequence of N data bits X\,X2, ■ ■ ■ ,xn where xí G {0, 1}. 
The existence of a classical bidirectional authenticated channel exists between Alice and 
Bob is assumed. 

1. Alice generates a sequence of random integers k\, k2, • ■ ■ > &iV where h L € {0,1, ... ,n — 
1}. She keeps these integers confidential to herself. 

2. Alice creates n qubits \ipu), \1p12), ■ ■ ■ , \iPin), such that \ipu) = ^(^r 1 )!^)- 

3. Alice sends the N qubits to Bob using Protocol 1. 

4. Bob receives the N authenticated qubits from Alice. On each \tpu), without making 
measurement, he performs the unitary operation R(ttxí) to produce the qubit sequence 

1^21), 1^22), • • • , \lp2N) 

where (V^í) = R(^Xi)\tpii) . This sequence is sent to Alice in an authenticated way 
using Protocol 1. 

5. Alice receives the authenticated qubits. On each qubit \ip2i), she perform unitary 
operation i?^^ 1 ). The resulting sequence denoted 

|^3l), 1^32}, • • • , \4>3n) 

is then measured to produce bit sequence yi,U2, ■ ■ ■ ,Un- This sequence is deemed to 
be the sequence sent by Bob. 

As shown in Propositions 1 through 4, there seems to be no advantage in selecting n > 3. 
Therefore we propose setting n = 3 in both protocols. 
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4 Analysis 



In this section, we analyze the two protocols to show that they indeed serve their in- 
tended purposes. In our analysis, we take advantage of the propositions set forward in the 
preliminary section. Since our primary purpose in this paper is introducing a protocol for 
confidential data transfer, We analyze Protocol 1 first while assuming Protocol 2 serves its 
purpose perfectly (i.e., sending authentic qubits). 

4.1 Analysis of Protocol 2 

We analyze this protocol in two steps: First we show it is correct, second, we show it is 
secure. 

Correctness 

We show that Protocol 2 works correctly by invoking Proposition 1. Notice that Alice 
prepares each qubit \ipu) at a certain angle which she only knows. Bob encodes his 
data bit in the qubit by performing R{nxi)\ip\i) . Doing so means that Alice's qubit either 
remains the same or is rotated by an angle ir. In Proposition 1, Alice encodes her data and 
sends to Bob. If Bob knows the original qubit's angle can recover Alice's data. In the case 
of Protocol 2 (which is slightly different), it is Bob who encodes his data, but since he does 
not know the qubit's angle, he sends it to Alice who (by the reason of Proposition 1) can 
recover Bob's data without error. Therefore, Protocol 2 is correct. 

Security 

We show that Protocol 2 is secure. This means that an intruder (Eve) cannot recover Bob's 
data. We do this in the following: 

a) Note that if Eve can find out the angle for each qubit \ipu), she, like Alice, can 
recover Bob's data. An invocation of Proposition 2 will prové that this is not possible. 

First notice that Protocol 2 uses the specific set of p^'s and O^s that satisfles Propo- 
sition 2 for security. (Thus Equation Q is satisfied.) Next, notice that the first 
trip of a qubit from Alice to Bob corresponds to the same trip in Proposition 2 with 
the exception that Alice's data is set to a constant lògic '0'. Since the condition for 
Equation Q is met by our specific choice of pkS and 9k : s, therefore: 

Prob(Z = | X = 0) = Prob(Z = 1 | X = 0) = -. 

This means that when Eve (intercepts and ) measures each \ipu) ( possibly after 
a rotation of her choice), then she observes lògic '0' or '1' with equal probability, 
regardless of Alice's choice of angle ^^ i · Therefore, she can't get any information 
about the qubit's angle in its trip from Alice to Bob. 

b) Although the conclusion in item b) is good news, note that if there are only two angles 
for Alice to choose from (i.e., n = 2) then that conclusion will break down because 
Eve know Alice's data is '0', and since Alice can only prepare one of the two states 
i?(0)|0) or i?(-7r)|0), then Eve can find out the angle with certainty because the two 
states are orthogonal. Therefore we have to impose the condition n > 2 for the sake 
of security. 
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c) To show that performing Protocol 1 is essential in the first leg of the trip, we assume 
that Alice sends the qubits to Bob without performing Protocol 1 (thus modifying 
Step 3 in Protocol 2). While Eve can get no information about the specific choice 
of qubit angles by Alice, Eve is still able to launch the following man-in-the-middle 
attack: 

Eve intercepts and performs measurement on Alice's qubits. This allows her to know 
the state of each qubit (they will be either |0) or |1}.) She then sends these to 
Bob. (Or she might as well drop Alice's qubits and send her own.) Bob, who is 
not aware, encodes his data in Eve's qubits and send them to Alice. Eve intercepts, 
makes measurement (thus perfectly recovering Bob's data), and then sends arbitrary 
qubits to Alice. Alice's measurements (after appropriate rotations that she knows) will 
produce gibberish. But Eve has managed to steal Bob's data. Thus it is absolutely 
essential that Bob knows that the qubits he receives are authentic; that is, they 
come from Alice without Eve having the opportunity to intervene. This is the job of 
Protocol 1 (assuming it works flawlessly.) 

d) On the return trip for qubits (from Bob to Alice), Eve can intercept and make mea- 
surement on the qubits. These qubits carry data, however a direct invocation of 
Proposition 2 shows that no data can be gained by Eve if she intercepts (Apply 
Proposition 2). However, if Bob does not use Protocol 1 (in Step 4) in transmitting 
the qubits back to Alice, a malicious Eve can intercept, drop the qubits and insert 
her own. In this case, Alice will receive gibberish instead of meaningful data. This is 
a disruption of communication as opposed to compromised security. 

e) In this and the next items, we show security against multi-qubit emission attack. 
Suppose a qubit source used by Alice is imperfect and for each intended qubit it 
creates múltiple replicas in exactly the same state as the original. This can create a 
severe security problem in BB84: Eve can capture and preserve a replica qubit and 
wait until the angle information is announced on the públic channel. She then can 
perform measurement in the correct basis and recover the data. This cannot happen 
in Protocol 2 because no such information concerning the data carrying qubits is ever 
sent. Only in Protocol 1, angle information about the check qubits are sent on the 
públic channel. This cannot give away information about Bob's data. We will deal 
with the check qubits when we analyze Protocol 1. 

f) Another attack using múltiple qubits is the following: In Step 3, Protocol 2, Alice 
sends qubits to Bob. Because of the multiple-qubit imperfection, Eve can capture 
and preserve a qubit replica for each original qubit Alice sends. During the execution 
of protocol 1, the check qubits are identified, therefore Eve can throw them away. She 
keeps the non-check qubits which are intended for carrying data. In the return trip, 
Bob sends the data carrying qubits encoded with his data. Not knowing the qubit's 
angles, Eve cannot extract any information from the replicas she received from Alice 
nor from the originals or replicas she receives from Bob. (Now assume Protocol 1 is 
not perform in the return trip at Step 4.) Eve can drop Bob's qubits and insert her 
own. These are the replicas she kept now encoded with her fake data. This data can 
be received and understood by Alice. This attack affects the integrity of data rather 
than its confidentiality. 

However, this attack cannot succeed because of using Protocol 1 at Step 4. At Step 
4, Bob sends his qubits (|'0i)'s) along with the check qubits (|^>j)'s) he inserts in the 
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frame. Eve who receives all these qubits has no information about the position of these 
qubits. Therefore she cannot replace the non-check qubits with her own. She can at 
best make a random guess about the position of N non-check qubits and attempt to 
replace them. Eve must be at least 1 in ( N ~j^ M ) lucky to succeed. This means that by 
a choice of sufhciently large N and M, her luck can be made completely insignificant. 
Remember that these two parameters can be set to exceed any given numbers. If 
necessary, an appropriate padding algorithm can extend the length N of Bob's data 
to a required minimum. Therefore, we have justified the use of Protocol 1 in Step 4, 
and thus removed the possibility of using multiple-qubit attack. 

Up to now, we have discussed the various ways Protocol 2 can be attacked, and have 
shown that none can succeed. As it was seen, the security of Protocol 1 was a key assump- 
tion. In the next section, we turn to analyzing this assumption. 

4.2 Analysis of Protocol 1 

We show that Protocol 1 allows Alice to send Bob authenticated qubits. Authenticity 
of these qubits are essential for guaranteeing the security of Protocol 2. It is easy to see 
that Protocol 1 works correctly if Eve is not present. 

Suppose Alice sends to Bob a frame oí N + M qubits using Protocol 1. The idea is 
that Eve cannot interact with the qubits with vanishing probability of being detected by 
Bob. According to Propositions 3 and 4, because of the special choice of p^s and Ok's, 
if Eve performs a measurement (possibly after an arbitrary rotation) on any one of the 
check qubits, the probability that her action produces an error detectable by Bob is at least 
F e = 1/4. 

Now suppose Eve decides to inspect L qubits at random in the frame. The probability 
that out of L qubits, k are check qubits is as follows: 



Prob(Eve picks k check qubits) 



\L-k 



)(' 



en 



The probability that Eve goes undetected given she inspeets k check qubits is as follows: 

Prob(Eve undetected | k) = (1 - P e ) k ■ 

Therefore the probability that Eve's interaction is detected when she inspeets L qubits in 
the frame at random is: 

L { N ) ( M ) 

Prob(Eve undetected when she inspeets L qubits) = 5^(1 — Pe) k 7M+m ■ (3) 

k=o v L ) 

It is easy to compute, either by using Equation (j3J) or directly, the following extreme cases: 

I. Eve decides to inspect all qubits in a frame. The probability that her action is not 
detected is: 

Prob(Eve undetected) = (1 - P e ) M . 

If she succeeds, she has been able to measure all N qubits that were supposed to be 
protected. This event can be made arbitrarily improbable by increasing the number 
of check qubits M. 
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II. Eve decides to inspect only one qubit in a frame. The probability that her action is 
not detected: 

ProbíEve undetected) = 1 — . 

y ' N + M 

If she succeeds, at best she has been able to measure only one of the N qubits. The 
probability of this event can only be made as small as (1 — P e ) by increasing M. 

In both cases, increasing M implies decreasing the probability that Eve is not detected. 

In another attack on this protocol, Eve does not measure the qubits but attempts to 
replace them with her own. Suppose she wishes to send L qubits of her own. She must 
choose L < N qubits in the frame to be replaced. Lack of any knowledge about the position 
of check qubits makes her guess randomly. She will be lucky if she selects none of the check 
qubits. The probability of this event is (^) This probability can be made a small as 

desired by choosing a sufnciently large number M of check qubits. In general, by increasing 
parameter M, we can make the probability that Eve's measurement or replacement of L 
qubits goes undetected as small as desired. 



5 Conclusion 

We introduced and analyzed two novel quantum protocols that together allow a secure 
transfer of classical data bits. The first protocol enables Alice and Bob to exchange authen- 
ticated qubits. The second protocol, which makes use of the first one, enables Alice and 
Bob to exchange data bits securely. The combination has the following mèrits: 

a) It can send data over the quantum channel securely. This is especially useful in key 
distribution applications where keys are generated in advance rather than on the fly 
BB84 and its variants cannot transfer predetermined keys. 

b) In BB84, some information leaks out, therefore a process called privacy amplification 
is required by that protocol. In our protocol, no information about the data leaks 
out. 

c) Our protocol, unlike BB84, is not vulnerable to multi-qubit emission attack. 

One disadvantage of our protocol is its round trip requirement. This is a price to pay to 
protect against multi-qubit emission attack. While we have discussed most probable attack 
scenarios, there is more to be done to prové the unconditional security of this protocol. 



Appendix A 

Claim 1 We show that for all a, if 

1 2/C7T 

n>2, Pk = —, ®k = j for k = 0, 1,2, . . . , n — 1. 

n n 

then the following holds: 

0k~ a . 2 6 k - a 



n—l ü n—1 

Pkcos -^— = 2^PkSm . (4) 



k=0 k=0 
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Proof. Equation Q implies: 



n-l 



^p fc cos(6>fc - a) = 0. 

k=0 

Note that the left hand side of the above equation can be written as: 

n-l 



^p fc r efe • r a = 0, 



fc=o 



where rg fe and r a are two units vectors located at the origin in the xz-plane making an angle 
9k and a with the z-axis, respectively. The above equation must hold for any r a , therefore 
we must have: 



n-l 



Y^Pk*6 k =0, 



If we set Pk = è: then we must have: 



k=0 



n-l 



k=0 



This can be made true by setting: 



2kir 

9k = , for k = 0, 1, 2, . . . , n — 1. 

n 

The claim is proved. O 
Claim 2 Proposition^Jis true. 

Proof. The error probability given in Equation© can be re- written using trigonometric 
identities as: 

1 1 n ~ 1 

Prob(error) = - — - pk [cos 2 8k cos a + cos 9k sin 9k sin a] . 
fc=o 

By setting Pk = ^, and = 2 ^ 2L , we arrive at: 

1 1 2 2 ^ C7r 1 
rrob(error) = > cos cosa > 



1 1 ^-^ o 2k~ïï 1 2fc"7T 

> cos cosa y cos sin sma. 

2 2n ' n 2ra ' n n 
fc=o fe=o 



Now note that for any n > 2: 

E2A;7r 2kir 
cos sin = 0. 
n n 

k=o 

This can be easily verified by noticing that for i > the terms corresponding to k = i and 
k = n — i cancel each other out. For k = 0, the term is already zero, and when n is even, 
the term corresponding to k = n/2 is also zero. 
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Other the other hand, notice that for any n > 1: 

E' 2 n 
cos = — . 
n 2 

fc=0 

This is true because: 



2klT 1 v— \ /a 4/í!7I\ n 1 ï— r 4&7T 



cos ■ 



COS = - > 1 — COS ) = > L_. 

n 2 ^ y n 1 2 2 ^ n 

k=0 k=0 k=0 

n— 1 „ 4fc7r 



(It can be easily shown that ^fc=o cos ~n~ = ^0 Therefore, finally: 



. 1 1 1 

Prob(error) = cosa > -, 

v ; 2 4 ~ 4' 



with equality when a = 0. O 
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